Weekly Edition
Return to the Kernel page| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Who needs /dev/kmem?
Unix-like systems have, since nearly the beginning, offered a couple of character device files called /dev/mem and /dev/kmem. /dev/mem is a straightforward window into main memory; a suitably privileged application can access any physical page in the system by opening /dev/mem and seeking to its physical address. This special file can also be used to map parts of the physical address space directly into a process's virtual space, though this only works for addresses which do not correspond to RAM (the X server uses it, for example, to access the video adapter's memory and control registers).
/dev/kmem is supposed to be different in that its window is from the kernel's point of view. A valid offset in /dev/kmem would be a kernel virtual address - these addresses look much like physical addresses, but they are not. On commonly-configured i386 systems, for example, the base of the kernel's virtual address space is at 0xc0000000. The code which implements mmap() for /dev/kmem looks like this in 2.6.12:
if (!pfn_valid(vma->vm_pgoff)) return -EIO; val = (u64)vma->vm_pgoff << PAGE_SHIFT; vma->vm_pgoff = __pa(val) >> PAGE_SHIFT; return mmap_mem(file, vma);
The idea is to turn the kernel virtual address into a physical address (using __pa()), then use the regular /dev/mem mapping function. The problem, of course, is that the pfn_valid() test is performed before the given page frame number has been moved into the physical space; thus, any attempt to map an address in the kernel's virtual space will return -EIO - except on some systems with large amounts of physical memory, and, even then, the result will not be what the programmer was after. This mistake would almost certainly be a security hole, except that only root can access /dev/kmem in the first place.
Linus has merged a simple fix for 2.6.13. It does not even try to solve the whole problem, in that it still fails to properly check the full address range requested by the application. But the real question that has come out of this episode is: is there any reason to keep /dev/kmem around? The fact that it has been broken for some time suggests that there are not a whole lot of users out there. It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors. The Fedora kernel, as it turns out, has not supported /dev/kmem for a long time.
Removing a feature like that is not in the cards for 2.6.13. But, unless some sort of important user shows up, chances are that /dev/kmem will not survive into 2.6.14. Anybody who would be inconvenienced by that change should speak up soon.
(Log in to post comments)
Who needs /dev/kmem?
Posted Aug 18, 2005 4:04 UTC (Thu) by pengo (guest, #7787) [Link]
I imagine it would be useful for researchers (security and otherwise) trying to grasp what the overall kernel memory space looks like at any one time. Any such general purpose mechanism is going to have a myriad of unforeseen uses.
As a developer of a hex editor myself, I'd personally be sad to see it go.
Who needs /dev/kmem?
Posted Aug 18, 2005 5:23 UTC (Thu) by mingo (subscriber, #31122) [Link]
i think this says it all:
"It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors."
what would you use /dev/kmem for? If you are interested in runtime kernel internals then you probably want to apply the kgdb patch (or any other kernel debugger), that gives you vastly more options than /dev/kmem.
/dev/kmem has no real use today, other than rootkits - hence the removal from Fedora. It should be removed from mainline too.
Who needs /dev/kmem?
Posted Aug 18, 2005 5:28 UTC (Thu) by iabervon (subscriber, #722) [Link]
Most practical applications for /dev/kmem are better served by /proc/kcore, which has the same information, but structured as a core file.
Who needs /dev/kmem?
Posted Aug 18, 2005 6:28 UTC (Thu) by fenrus (guest, #31654) [Link]
and... more imporantly, a *read only* file.
Who needs /dev/kmem?
Posted Aug 18, 2005 13:37 UTC (Thu) by nix (subscriber, #2304) [Link]
Andi Kleen and others have pointed out that slamming values straight into kernel memory via /dev/kmem is useful in quick-hack kernel debugging.
Basically it should be a kernel debugging option, and thus off for the vast majority of systems.
Who needs /dev/kmem?
Posted Aug 19, 2005 0:21 UTC (Fri) by giraffedata (subscriber, #1954) [Link]
It's not just for debug hacking; other kinds of quick hacks are also made possible. Though I haven't used it yet, I'll keep /dev/kmem around regardless of what the mainstream ends up doing. I should probably use /proc/kcore, but I know it would take a significant amount of effort to learn its format, and probably to write code to interpret it. I could use /dev/mem, but again with a lot of unnecessary extra work.In Linux, we stress serving a diverse audience, so we don't ask "why should we keep this feature?" We ask, "why shouldn't we?" Things get dropped because no one is maintaining them, but not because no one is using them.
Who needs /dev/kmem?
Posted Aug 19, 2005 7:50 UTC (Fri) by dvdeug (subscriber, #10998) [Link]
If no one is using something, there's no point in it being maintained. And if the main users of a feature are rootkits, then it's a disadvantage to have it around at all.
Who needs /dev/kmem?
Posted Aug 19, 2005 16:15 UTC (Fri) by giraffedata (subscriber, #1954) [Link]
If no one is using something, there's no point in it being maintained
I agree with that, but don't find it relevant here. I.e. it's not relevant whether there's a point to maintaining something; what is relevant is what I said above: whether someone is maintaining it.
if the main users of a feature are rootkits, then it's a disadvantage to have it around at all.This is a common argument that I don't accept. If by "have it around," you mean have it present in kernel.org source trees. Not having it around by choosing not to configure it into your kernel makes sense to me.
The basic idea I oppose is fighting black hats by withholding tools they could use from the public. Aside from a basic uneasiness about withholding anything from the public, I also believe it has no significant effect, because if /dev/kmem isn't there already, the cracker will just bring his own. That's what rootkits are all about, after all. In any sensible security system, if a cracker has privilege to read and write /dev/kmem, then he also has privilege to load his own device driver.
[OT] Nice quote about root kits, should go into fortune
Posted Aug 25, 2005 21:36 UTC (Thu) by danilopiazza (guest, #32077) [Link]
It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors.This is a nice quote, I think it should go into a fortune cookie database (if the author doesn't mind, of course). See also this Debian bug report to check if I gave proper credit.
Who needs /dev/kmem?
Posted Sep 20, 2006 5:03 UTC (Wed) by maur0x (guest, #40613) [Link]
Hi,
This is my first message at this community, so let me tell you this site helped me a lot in the past.
I apologize for waking up this article that's been slept for a long time.
I was planning to make an investigation about mem devices. Unfortunately the most of the information i've found was about using it for programming some aplications (i.e. a "ps" for HP-UX), configuration and many other general uses mentioned before (debugging, patching, etc.) .
My first idea was to explain the background of these devices, the reasons why they were created at first time in AT&T Unix VI. Who used them. Design considerations. etc. I didn't find anything usefull to help me with this.
if someone does know some bibliography or link about this i will apreciate that.
Thanks in advance.
PD: Excuse my poor english.